formbook | e5142b32498bf308fe74c79a3c5b308f1eff5319da59a134bd55fcb0644785fe | Triage

Submit
Reports

Overview

overview

Static

static

shellcode.exe

windows7-x64

shellcode.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

shellcode.zip
Size

50KB
Sample

221012-nlnhyaddc7
MD5

068d063826f24d0454f5a8aaa995e67d
SHA1

686ee0c1bcedb312d25eef5118f3acc19f627793
SHA256

e5142b32498bf308fe74c79a3c5b308f1eff5319da59a134bd55fcb0644785fe
SHA512

a88f70e0586686366e4f34294fad993b3e6cf2469b71319668d6da13b7e04026c4184c496a0bd7047c7f490c3be07c3029b3882e96628f8f3278cb9ab80ec436
SSDEEP

1536:idNjM0BrzOCfUWFOsLnzMvo9mExubyCW2TuQndc:N0NzOCfUiOsLnzMvWxu+5guz

Score

10^/10

formbook guloader cprp downloader persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

shellcode.exe

Resource

win7-20220812-en

formbook guloader cprp downloader persistence rat spyware stealer trojan

windows7-x64

21 signatures

150 seconds

Behavioral task

behavioral2

Sample

shellcode.exe

Resource

win10v2004-20220812-en

formbook guloader cprp downloader persistence rat spyware stealer trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cprp

Decoy

hotspringsfamilyfirstcare.com

xn--korotbarsch-qfb.com

skilletmagic.com

bolivarbarrera.com

nycnursinghome.com

sareedamariecollection.net

vj-od.com

tribecatruevalue.com

pruvex.com

atahualpaproducciones.online

fdgtsw.xyz

evengine.xyz

premiertorontolimo.com

katebrown.design

thrivecst.com

bestcapping.com

legendsaystodayoutcome.xyz

frailscar.online

luzyrvo.com

acpnortheast.com

phatempowers.com

pastmarkapp.com

dossier-ccf4.com

vestigate.info

eldoradosaddle.com

jed888.com

softballhitters.com

confirmpage-67890556.site

yoderma.com

ohexpressinc.com

bluecollarstart.com

kuntemane.com

discussevery.sbs

deepswaveslogistic.com

karinaespinoza.com

advisedygo.com

thefivefactors.com

cqxinqi.com

csthomas-cpa.com

yourfavorite.space

parchmentcanvas.com

wingontravelhx.com

greencareershub.com

decocting.com

hbo-max.site

vwearshop.com

mixvely.tech

activebeinc.com

emilie-coiffure.com

lumbaru.xyz

casademilo.com

9sfh0.sbs

lacenterimpots.com

rallybel.info

wbgj.bet

adultconsider.sbs

reefswan.com

banzai-ltd.com

zzkwx.com

lxyzl.com

servers-icloud.com

stargazingwithkevin.com

mentoredwhileyouwork.services

organizadordemaquillaje.com

aceofparsons.com

Targets

- Target
  
  shellcode.exe
- Size
  
  1.0MB
- MD5
  
  09ea8a8f6f4b41e779c728bb9060e21d
- SHA1
  
  1bb85f6634b32ead5eb164bc7bf80aa36299e006
- SHA256
  
  1df4dc12c0118cb36a33456ace897124540bc1d6553554ad7334bee2ae8aa834
- SHA512
  
  6019ceeba9f6ee6dc1ddacf2f12324b71a18172eb975977de01e50c2eca6b6162630395423800c8c222f7b0387cef2be8b896038d2484be187d1e8500079662f
- SSDEEP
  
  1536:vh3LTV30kb217S/Y4rGm/It3Rg7UvDafGRyF6v:vBLTV30717UBGH9RAUvDKeW6v
Score

10^/10

formbook guloader cprp downloader persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookguloadercprpdownloaderpersistenceratspywarestealertrojan

behavioral2

formbookguloadercprpdownloaderpersistenceratspywarestealertrojan

© 2018-2025

Terms | Privacy